Updated ibi-config to the new LCA API

Use SeedReconfig instead of the old clusterInfo Pass the cluster crypto in the SeedReconfig manifest Signed-off-by: Eran Cohen <[email protected]>
omertuc · Jan 23, 2024 · bbd287f · bbd287f
1 parent 3f2d396
commit bbd287f
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 10 deletions.
diff --git a/Makefile.ibi b/Makefile.ibi
@@ -78,15 +78,21 @@ ibi-certs:
 	./ibi/generate_certs.sh $(IBI_CLUSTER_NAME) $(IBI_DOMAIN)
 
 .PHONY: $(IBI_CLUSTER_CONFIG_PATH)
-$(IBI_CLUSTER_CONFIG_PATH):
+$(IBI_CLUSTER_CONFIG_PATH): ibi-certs
 	mkdir -p $(shell dirname $(IBI_CLUSTER_CONFIG_PATH))
 	rm -rf $@
-	MASTER_IP=$(shell virsh domifaddr ${IBI_VM_NAME} | grep ipv4 | awk -F " " '{print $$4}' | cut -d'/' -f1) \
+	NODE_IP=$(shell virsh domifaddr ${IBI_VM_NAME} | grep ipv4 | awk -F " " '{print $$4}' | cut -d'/' -f1) \
 	CLUSTER_ID=$(shell uuidgen) \
 	VM_NAME=$(IBI_VM_NAME) \
+	SEED_VERSION=$(SEED_VERSION) \
 	CLUSTER_NAME=$(IBI_CLUSTER_NAME) \
 	DOMAIN=$(IBI_DOMAIN) \
 	HOSTNAME=$(IBI_HOSTNAME) \
+	LOCALHOST_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/localhost-serving-signer-key.pem)" \
+	SERVICE_NETWORK_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/service-network-serving-signer-key.pem)" \
+	LOADBALANCER_SIGNER_PRIVATE_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/loadbalancer-serving-signer-key.pem)" \
+	ADMIN_CA_CERT="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/admin-kubeconfig-signer.crt)" \
+	INGRESS_CA_KEY="$(shell awk 'NF {sub(/\r/, ""); printf "%s\\n",$$0;}' ibi-certs/ingresskey-ingress-operator-key.pem)" \
 	envsubst < $(IBI_CLUSTER_CONFIG_TEMPLATE) > $@
 
 .PHONY: $(IBI_CLUSTER_CONFIG_MANIFESTS)
@@ -97,7 +103,7 @@ $(IBI_CLUSTER_CONFIG_MANIFESTS):
 ibi-config: $(IBI_CLUSTER_CONFIG_PATH) $(IBI_CLUSTER_CONFIG_MANIFESTS)
 
 .PHONY: ibi-config.iso
-ibi-config.iso: ibi-certs ibi-config ## Create ibi-config.iso
+ibi-config.iso: ibi-config ## Create ibi-config.iso
 	mkisofs -o $@ -R -V "relocation-config" $(IBI_CONFIG_DIR)
 	cp $@ $(LIBVIRT_IMAGE_PATH)
 

diff --git a/ibi-manifest.template b/ibi-manifest.template
@@ -1,2 +1,24 @@
-{"version":"4.14.5","domain":"${DOMAIN}","cluster_name":"${CLUSTER_NAME}","cluster_id":"${CLUSTER_ID}","master_ip":"${MASTER_IP}","release_registry":"quay.io","hostname":"${HOSTNAME}"}
-
+{
+  "api_version": 1,
+  "base_domain": "${DOMAIN}",
+  "cluster_name": "${CLUSTER_NAME}",
+  "cluster_id": "${CLUSTER_ID}",
+  "node_ip": "${NODE_IP}",
+  "release_registry": "quay.io",
+  "hostname": "${HOSTNAME}",
+  "KubeconfigCryptoRetention": {
+    "KubeAPICrypto": {
+      "ServingCrypto": {
+        "localhost_signer_private_key": "${LOCALHOST_SIGNER_PRIVATE_KEY}",
+        "service_network_signer_private_key": "${SERVICE_NETWORK_SIGNER_PRIVATE_KEY}",
+        "loadbalancer_external_signer_private_key": "${LOADBALANCER_SIGNER_PRIVATE_KEY}"
+      },
+      "ClientAuthCrypto": {
+        "admin_ca_certificate": "${ADMIN_CA_CERT}"
+      }
+    },
+    "IngresssCrypto": {
+      "ingress_ca": "${INGRESS_CA_KEY}"
+    }
+  }
+}
diff --git a/ibi/generate_certs.sh b/ibi/generate_certs.sh
@@ -58,9 +58,6 @@ openssl req -new -key "${CERT_DIR}/${USER_NAME}-key.pem" -out "${CERT_DIR}/${USE
 # Sign the user's CSR with the CA
 openssl x509 -req -in "${CERT_DIR}/${USER_NAME}-csr.pem" -CA "${CERT_DIR}/${CA_NAME}.crt" -CAkey "${CERT_DIR}/${CA_NAME}-key.pem" -CAcreateserial -out "${CERT_DIR}/${USER_NAME}-crt.pem" -days 365
 
-# Copy the CA certificate used to sign the system:admin-crt.pem into config/certs as the admin-kubeconfig-client-ca.crt
-cp "${CERT_DIR}/${CA_NAME}.crt" ${CONFIG_CERT_DIR}/admin-kubeconfig-client-ca.crt
-
 # Function to generate keys and self-signed certificates
 generate_self_signed_certs() {
     local SIGNER_NAME="$1"
@@ -74,8 +71,6 @@ generate_self_signed_certs() {
     # Self-sign the CSR to generate the CA certificate
     openssl x509 -req -in "${CERT_DIR}/${SIGNER_NAME}-csr.pem" -signkey "${CERT_DIR}/${SIGNER_NAME}-key.pem" -out "${CERT_DIR}/${SIGNER_NAME}.crt" -days 365 -extensions v3_req  -extfile "$config_file"
 
-    # Copy the signer key to the certs dir under the config directory
-    cp "${CERT_DIR}/${SIGNER_NAME}-key.pem" ${CONFIG_CERT_DIR}/${SIGNER_NAME}.key
 }
 
 # Generate serving-signer certificates